Hi, our zones are set up to use NSEC3 for authenticated denial of existence. In our setup, we let OpenDNSSEC do zone transfers in and out (as explained before), but on the public distribution master we run periodic checks of all the zones using both ldns-verify-zone and BIND's dnssec-verify program.
This morning, dnssec-verify flagged a problem for one of our zones, where all the problems are related to NSEC3 records which dnssec-verify thinks are missing:

  Loading zone '255.39.128.in-addr.arpa' from file 'zones/255.39.128.in-addr.arpa'
  Verifying the zone using the following algorithms: RSASHA256.
  Missing NSEC3 record for 255.39.128.in-addr.arpa (NAKEP4OF03QEFOD18FBGE5GTKBLV4BHK.255.39.128.in-addr.arpa)
  Missing NSEC3 record for 10.255.39.128.in-addr.arpa (6U9IB2FVPQS353THQ1SJ2UGN32KFDNDB.255.39.128.in-addr.arpa)
  ...

It does this for all the records in the zone. The checker script preserves a copy of the zone which is flagged with errors. All the "bad" zones do have NSEC3 records in appropriate quantities.

The zone has been automatically signed three times where the resulting transferred zone to the slave (or "public master") fails the check:

  Apr 1 02:50:06 hugin ods-signerd: [STATS] 255.39.128.in-addr.arpa 2016040100 RR[count=0 time=0(sec)] NSEC3[count=0 time=0(sec)] RRSIG[new=2 reused=237 time=0(sec) avg=0(sig/sec)] TOTAL[time=0(sec)]
  Apr 1 04:50:07 hugin ods-signerd: [STATS] 255.39.128.in-addr.arpa 2016040101 RR[count=0 time=0(sec)] NSEC3[count=0 time=0(sec)] RRSIG[new=5 reused=234 time=1(sec) avg=5(sig/sec)] TOTAL[time=1(sec)]
  Apr 1 06:50:06 hugin ods-signerd: [STATS] 255.39.128.in-addr.arpa 2016040102 RR[count=0 time=0(sec)] NSEC3[count=0 time=0(sec)] RRSIG[new=5 reused=234 time=0(sec) avg=0(sig/sec)] TOTAL[time=0(sec)]

When I realized this was happening, I manually initiated a signing via "ods-signer sign 255.39.128.in-addr.arpa", and this has apparently cured the problem:

  Apr 1 07:41:47 hugin ods-signerd: [STATS] 255.39.128.in-addr.arpa 2016040103 RR[count=0 time=0(sec)] NSEC3[count=0 time=0(sec)] RRSIG[new=2 reused=237 time=0(sec) avg=0(sig/sec)] TOTAL[time=0(sec)]

Now, manually verifying whether the NSEC3 records are OK is currently above what I do... Does anyone have an idea what more needs to be done to zero in on this problem?
Regards,
- Håvard

_______________________________________________
Opendnssec-user mailing list
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
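One way to do the manual NSEC3 check the poster asks about, as an added example that is not part of the thread: it computes the RFC 5155 hashed owner name (SHA-1, salt, iterations, base32hex) for each owner name, lists the names that have no matching NSEC3 RR (what dnssec-verify reports as "Missing NSEC3 record"), and checks that the NSEC3 Next Hashed Owner Name pointers form one closed chain. Only the zone name is taken from the thread; the salt, iteration count and owner names are constructed for illustration and are not the poster's NSEC3PARAM values.

```python
import hashlib
from base64 import b32encode

# RFC 4648 base32 -> base32hex (the alphabet NSEC3 owner labels use).
B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                              "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def nsec3_hash(name, salt_hex, iterations):
    """NSEC3 hashed owner label (RFC 5155 section 5, hash algorithm 1 = SHA-1)
    in upper-case base32hex, the form dnssec-verify prints."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    # Canonical wire format: length-prefixed lower-case labels, root terminator.
    wire = b"".join(bytes([len(l)]) + l.lower().encode("ascii") for l in labels) + b"\x00"
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):            # `iterations` additional rounds
        digest = hashlib.sha1(digest + salt).digest()
    return b32encode(digest).decode("ascii").translate(B32_TO_B32HEX)

def missing_nsec3(owner_names, nsec3_owners, salt_hex, iterations):
    """Owner names whose hashed label has no NSEC3 RR in `nsec3_owners`,
    i.e. the names dnssec-verify would report as 'Missing NSEC3 record'."""
    return sorted(n for n in owner_names
                  if nsec3_hash(n, salt_hex, iterations) not in nsec3_owners)

def chain_is_closed(nsec3_next):
    """`nsec3_next` maps each NSEC3 owner label to its Next Hashed Owner Name.
    True only if following the pointers visits every record once and returns
    to the start: a single closed chain with no dangling links."""
    if not nsec3_next:
        return False
    start = cur = min(nsec3_next)
    seen = set()
    while cur not in seen:
        seen.add(cur)
        cur = nsec3_next.get(cur)
        if cur is None:                    # points at a hash with no NSEC3 RR
            return False
    return cur == start and seen == set(nsec3_next)

# Constructed sample: the thread's zone name with a salt and iteration count
# chosen here for illustration (not the poster's NSEC3PARAM values).
ZONE, SALT, ITER = "255.39.128.in-addr.arpa", "deadbeef", 5
NAMES = [ZONE, "10." + ZONE, "20." + ZONE]

def build_chain(names, salt_hex=SALT, iterations=ITER):
    """Return a complete {owner_hash: next_hash} NSEC3 chain over `names`."""
    hashes = sorted(nsec3_hash(n, salt_hex, iterations) for n in names)
    return {h: hashes[(i + 1) % len(hashes)] for i, h in enumerate(hashes)}

def drop_record(chain, name, salt_hex=SALT, iterations=ITER):
    """Copy of `chain` without the NSEC3 RR for `name` (simulates one RR lost in transfer)."""
    return {h: n for h, n in chain.items() if h != nsec3_hash(name, salt_hex, iterations)}
```

Feed it the real salt and iteration count from the zone's NSEC3PARAM record and the owner names plus NSEC3 owner labels from the preserved zone copy, and the missing list should match what dnssec-verify printed.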
